Comment 9 for bug 1320235

michael xin (jqxin2006) wrote : Re: [Bug 1320235] Re: Stored XSS for /admin/users/

Tristan:
Thanks. Please use rackspace. Have a great day.

Michael

Sent from my iPhone

> On May 27, 2014, at 3:48 PM, Tristan Cacqueray <email address hidden> wrote:
>
> @michael xin, I'm not sure which company I should credit in this OSSA;
> your OpenStack community profile mentions Rackspace, is this still
> correct?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1320235
>
> Title:
> Stored XSS for /admin/users/
>
> Status in OpenStack Dashboard (Horizon):
> Confirmed
> Status in OpenStack Security Advisories:
> Confirmed
>
> Bug description:
> The /admin/users/ page does not output-encode users' email addresses
> correctly. Since there is no input validation for the user's email
> address during the creation process, it is possible to inject a script
> tag into the email address. This is a stored cross-site scripting
> issue.
>
> The issue can be abused to hijack a user's session, implant malware,
> etc.
>
>
> For example, attached is a screen copy of Horizon for users with stored XSS in action.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/horizon/+bug/1320235/+subscriptions
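The quoted description names two missing layers: validation of the email field at creation time and output encoding when the admin users table is rendered. The following Python sketch is an added example, not Horizon's code or anything from this bug report; the address pattern, the `render_user_row*` helpers, the `audit_stored_emails` check and the sample user records are all constructed here for illustration.

```python
import html
import re

# Conservative address syntax, constructed for this example (Horizon itself relies on
# Django's form validators). Angle brackets, quotes and whitespace never match, so a
# value carrying markup is rejected before it is ever stored.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def is_valid_email(value):
    """Input-validation layer: accept only plausible addresses."""
    return bool(_EMAIL_RE.match(value))


def render_user_row_unsafe(user):
    """The pattern behind the bug: untrusted fields interpolated into HTML unencoded."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (user["name"], user["email"])


def render_user_row(user):
    """Output-encoding layer: every untrusted field is HTML-escaped at render time,
    which is what Django template autoescaping does unless a value is marked safe."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(user["name"], quote=True),
        html.escape(user["email"], quote=True),
    )


def audit_stored_emails(users):
    """Defender's check for records created before validation existed: return the ids
    of users whose stored email would not pass is_valid_email, so they can be reviewed."""
    return [u["id"] for u in users if not is_valid_email(u["email"])]


# Constructed sample records standing in for the users the admin table lists.
SAMPLE_USERS = [
    {"id": "u1", "name": "alice", "email": "alice@example.com"},
    {"id": "u2", "name": "bob", "email": "bob<b>x</b>@example.com"},
]


if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(render_user_row(u))
    print("needs review:", audit_stored_emails(SAMPLE_USERS))
```

Running the audit against an existing user list is the practical follow-up once validation is in place, since the fix in the form does nothing for addresses already stored.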